The Identity Theft Resource Center (ITRC) announced on August 22, 2008 that the total number of data security breaches identified by the ITRC for 2008 has surpassed the final total of 446 security breaches reported in 2007. As of August 22, the number of confirmed data breaches for 2008 totaled 449. The ITRC notes, “[T]he actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events.” The report can be found on the ITRC’s Web site at idtheftcenter.org.
The breakdown of the most common known causes of the security breaches is as follows:
Lost or stolen laptops and other removable media |
21.2 percent |
Employee or insider theft |
15.6 percent |
Accidental disclosure |
13.8 percent |
Hacking |
12.9 percent |
Loss or disclosure by subcontractors |
10.9 percent |
Many companies believe the vast majority of security breaches come from hackers. The figures above illustrate, however, that security breaches due to hacking are a relatively small percentage of the overall total of security breach instances. The report demonstrates the importance of establishing effective data retention and security policies as well as the need to enforce compliance with those policies. While records/data storage and retention policies establish processes for minimizing malicious causes of security breaches (e.g., hacking and employee theft), policies also are particularly effective for reducing and avoiding “innocent” breaches (e.g., lost or stolen laptops or removable media, accidental disclosure, or loss or disclosure by subcontractors).
Accordingly, companies should ensure that their records/data storage and retention policies address, among other things:
- Training and education of employees on how to avoid the accidental exposure of confidential and sensitive information
- Restrictions on use of laptops, home PCs, and removable media (e.g., CD-ROMs, DVDs) for confidential and sensitive data, and provide for strong encryption of such information
- Procedures that address sharing sensitive data with independent contractors, consultants, and other third parties, and require such third parties to comply with the company’s data retention and storage policies
- Policies for development and implementation of appropriate technological and administrative safeguards to minimize malicious causes of security breaches (e.g., hackers and employee theft)
- Audit procedures to maximize compliance with the company’s policies
Legal News is part of our ongoing commitment to providing legal insight to our clients and our colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following individual:
Chanley T. Howell
Jacksonville, Florida
904.359.8745
[email protected]